September 6, 2013

We recently implemented two-factor authentication for VPN access to our LAN. We use Yubikeys from Yubico to provide one-time passwords (OTPs) which, when combined with the domain login and password, protect us from an array of attacks that password-only solutions can never defend against.

You hang Yubikeys on your keychain so you always have them with you, and there are zero interoperability concerns (unlike smartphone solutions such as Google Authenticator). A Yubikey requires no battery; it draws its power from the USB port you plug it into. To your computer it looks just like a keyboard, and pressing its green button makes it type 44 letters followed by <enter>, as if you had typed them yourself.

We wanted to use the standard VPN client built into Windows 7, so we can connect from any computer running Windows 7 without having to install custom software. In the most straightforward deployment, you append your Yubikey OTP to your normal domain password. But it turns out that the Windows 7 VPN client supports a maximum of 48 characters for the password, beyond which it truncates from the start of the password. Since a Yubikey OTP is 44 characters long, that leaves room for only 4 characters of domain password, which of course is far below the acceptable range of domain password strength.
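To make the truncation problem concrete, here is an added example (not the post author's code) of the two halves of the "append the OTP to your password" scheme: the server-side split of a combined credential into domain password and 44-character OTP, and a model of the Windows 7 client behaviour the post reports (only the last 48 characters survive). The OTP layout it relies on is Yubico's documented format (12 modhex characters of public identity followed by a 32-character token, over the alphabet `cbdefghijklnrtuv`); the sample password and OTP are constructed, and the `WIN7_VPN_MAX_PASSWORD` limit is taken from the post rather than measured here.

```python
"""Split '<domain password><Yubikey OTP>' credentials and model the Windows 7
VPN client truncation described in the post. Added example, not the post's code."""
from typing import Tuple

# Yubico's modhex alphabet: 16 symbols (c=0 ... v=15) chosen so an OTP types the
# same on common keyboard layouts. A Yubikey OTP is 44 modhex characters:
# a 12-character public identity followed by a 32-character encrypted token.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12
# Password limit of the Windows 7 VPN client, as reported in the post (assumption).
WIN7_VPN_MAX_PASSWORD = 48


class CredentialError(ValueError):
    """Raised when the trailing characters do not look like a Yubikey OTP."""


def is_modhex(text: str) -> bool:
    return len(text) > 0 and all(ch in MODHEX_ALPHABET for ch in text)


def modhex_decode(text: str) -> bytes:
    """Decode modhex into bytes (two symbols per byte, high nibble first)."""
    if not is_modhex(text) or len(text) % 2:
        raise CredentialError("not valid modhex")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        out.append(MODHEX_ALPHABET.index(hi) * 16 + MODHEX_ALPHABET.index(lo))
    return bytes(out)


def split_password_and_otp(combined: str) -> Tuple[str, str]:
    """Separate the domain password from the 44-character OTP appended to it.

    The server side of the scheme has to do exactly this before it can verify
    the two factors independently; a non-modhex tail means no OTP was supplied."""
    if len(combined) < OTP_LENGTH:
        raise CredentialError("credential shorter than one OTP")
    password, otp = combined[:-OTP_LENGTH], combined[-OTP_LENGTH:]
    if not is_modhex(otp):
        raise CredentialError("trailing 44 characters are not modhex")
    return password, otp


def otp_public_id(otp: str) -> str:
    """The first 12 modhex characters identify the key (used to look up its secret)."""
    return otp[:PUBLIC_ID_LENGTH]


def simulate_win7_vpn_client(combined: str) -> str:
    """Model the truncation the post describes: the client keeps only the last
    48 characters, dropping characters from the start of the password."""
    return combined[-WIN7_VPN_MAX_PASSWORD:]


def usable_password_length() -> int:
    """How many password characters can survive once a 44-char OTP is appended."""
    return WIN7_VPN_MAX_PASSWORD - OTP_LENGTH


# Constructed sample: a 15-character password and a made-up but well-formed OTP.
SAMPLE_PASSWORD = "Correct-Horse12"
SAMPLE_OTP = "cccccbhirbdr" + "tuvvcdefghijklnrtuvcbdefghijklnr"


def demo() -> Tuple[str, str]:
    """Return (password the server sees without truncation, password it sees after
    the Windows 7 client has truncated the combined credential)."""
    combined = SAMPLE_PASSWORD + SAMPLE_OTP
    intact_pw, _ = split_password_and_otp(combined)
    truncated_pw, _ = split_password_and_otp(simulate_win7_vpn_client(combined))
    return intact_pw, truncated_pw


if __name__ == "__main__":
    before, after = demo()
    print(f"server receives password {before!r} without truncation")
    print(f"server receives password {after!r} after the Windows 7 client truncates")
    print(f"only {usable_password_length()} password characters can ever survive")
```

Running it shows the server receiving `'se12'` instead of `'Correct-Horse12'`: the OTP arrives intact, so the second factor still verifies, but the first factor has silently shrunk to its last four characters, which is exactly why appending the OTP to the password does not work with this client.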